WO2022249399A1 - Denial-of-service attack detection device, method, and program - Google Patents

Denial-of-service attack detection device, method, and program

Publication number
WO2022249399A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
request
responses
communication device
count value
Prior art date
Application number
PCT/JP2021/020232
Other languages
English (en)
Japanese (ja)
Inventor
伸之 千綿
寛 吉田
Original Assignee
日本電信電話株式会社
Priority date
Filing date
Publication date
Application filed by 日本電信電話株式会社
Priority to JP2023523865A (patent/JPWO2022249399A1/ja)
Priority to PCT/JP2021/020232 (patent/WO2022249399A1/fr)
Publication of WO2022249399A1 (patent/WO2022249399A1/fr)

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures

Definitions

  • One aspect of the present invention relates to a denial-of-service attack detection device, method, and program used to detect so-called DoS (Denial of Service) attacks, which interfere with the services provided by a website by intentionally overloading resources such as the website's server device and network or by exploiting vulnerabilities.
  • DoS: Denial of Service
  • Non-Patent Document 1: flow monitoring, which centrally monitors the traffic of the entire network to detect malicious attacks, and packet monitoring, which monitors the content (payload) of all IP packets to detect malicious attacks by viruses and the like.
  • DoS attacks targeting server devices of specific websites include, for example, request attacks using requests and response attacks using responses.
  • A request attack sends a large number of malicious attack requests to a specific site.
  • Against request attacks, for example, the number of identical requests received within a certain period of time is counted, and when the number of received requests exceeds a threshold, the group of requests is regarded as attack requests and can be blocked.
  • A response attack sends a large number of malicious attack responses from the communication destination to the server device in response to a request sent from the server device of a specific site.
  • Against response attacks, the tuple of the response is detected, for example, by a firewall (FW) placed on the communication path, and if the response is determined to be invalid based on the detection result, the response can be blocked.
  • However, it is difficult for the firewall to determine whether the large number of responses is due to retransmission of normal responses or is sent for attack purposes.
  • The reason is that the response retransmission cycle is normally set arbitrarily for each communication partner terminal and the transmission delay in the network is not constant, so it is difficult to distinguish normal traffic from an attack by monitoring only the response retransmission interval.
  • An attack response can be identified if the server device analyzes the content of the received response packets in detail.
  • However, this analysis requires a large processing load and processing time and uses the processing capacity of the server device, so countermeasures against attack responses tend to be delayed.
  • The present invention has been made in view of the above circumstances, and aims to provide a technique for detecting, in a short period of time and with relatively simple processing, a malicious attack that uses valid responses on a communication path.
  • the denial of service attack detection device or method according to the present invention for solving the above problems is a system that transmits data via a communication path between a first communication device and a second communication device,
  • The denial of service attack detection device arranged in the communication path includes a first count processing unit, a first determination processing unit, a request delay processing unit, a second count processing unit, and a second determination processing unit.
  • The first count processing unit counts the number of responses transmitted from the second communication device in an arbitrary cycle in response to the first request transmitted from the first communication device, to obtain a first count value.
  • The first determination processing unit determines whether the first count value per predetermined unit time exceeds a preset first threshold value, and when it determines that the first count value exceeds the first threshold, the plurality of responses to the first request are determined to be a sequence suspected of an attack, and a suspected attack monitoring state is set.
  • The request delay processing unit delays a second request transmitted from the first communication device by a preset time while the suspected attack monitoring state is set, and then forwards the second request to the second communication device.
  • The second count processing unit counts the number of responses transmitted from the second communication device in response to the second request to obtain a second count value. The second determination processing unit determines whether or not the second count value per unit time exceeds a second threshold, and when it determines that the second count value exceeds the second threshold, the plurality of responses to the second request are determined to be an attack sequence, and information indicating that an attack has been detected is output.
  • FIG. 1 is a diagram showing an example of a sequence when a response is normally transmitted from a communication destination device.
  • FIG. 2 is a diagram showing an example of a sequence when an attack response is sent from a communication destination device.
  • FIG. 3 is a sequence diagram showing an example of detection processing according to an embodiment of the present invention when a response suspected of an attack is sent from a communication destination device.
  • FIG. 4 is a schematic block diagram of a data communication system provided with an inter-network connection device having the function of a denial of service attack detection device according to one embodiment of the present invention.
  • FIG. 5 is a block diagram showing the hardware configuration of the inter-network connection device shown in FIG.
  • FIG. 6 is a block diagram showing the software configuration of the inter-network connection device shown in FIG.
  • FIG. 7 is a flow chart showing a processing procedure and processing contents of packet transfer processing by the inter-network connection device shown in FIG.
  • FIG. 8 is a flow chart showing a processing procedure and processing contents of determination processing by the inter-network connection device shown in FIG.
  • FIG. 9 is a flow chart showing a processing procedure and processing contents of a suspected attack detection judgment processing in the judgment processing shown in FIG.
  • FIG. 10 is a flowchart showing a processing procedure and processing contents of attack detection determination processing in the determination processing shown in FIG.
  • FIG. 11 is a sequence diagram showing overall processing operations by the inter-network connection device shown in FIG.
  • FIGS. 1 and 2 show an example of the connection sequence executed between the server device SV and the communication destination device TM.
  • FIG. 2 shows the sequence when the malicious communication destination device TM(N) transmits the attack response.
  • the communication destination device TM is a device TM(T) used by a legitimate user
  • The communication destination device TM(T) sends a response SYN-ACK in reply to the request SYN sent by the server device SV, as shown in FIG.
  • After transmitting the response SYN-ACK, the communication destination device TM(T), in consideration of network delays, retransmits the response SYN-ACK each time a predetermined time set in the timer elapses, in the retransmission sequence indicated by ACK(T).
  • the timing of the timer is arbitrarily set for each communication destination device TM(T).
  • When the server device SV receives a valid response SYN-ACK, it returns an acknowledgment ACK, after which a communication link is established between the server device SV and the communication destination device TM, and data transmission between the devices becomes possible.
  • A malicious service disruptor repeatedly sends, from the communication destination device TM(N), a large number of attack responses SYN-ACK in response to the request SYN, as indicated by ACK(N) in FIG. 2, for example.
  • An excessive load is applied to the server device SV and the communication path leading to the server device SV, and the server device SV falls into a state where it is difficult to perform data communication.
  • If the inter-network connection device LT arranged between the server device SV and the network has a firewall (FW) function, the firewall function determines whether the attack response SYN-ACK is valid or invalid.
  • the attack response SYN-ACK is blocked thereafter. However, if the attack response SYN-ACK is determined to be valid, the attack response SYN-ACK continues to be transmitted to the server device SV, and the server device SV continues to be disturbed.
  • FIG. 3 is a sequence diagram showing an example thereof.
  • the network connecting device LT counts the number of responses SYN-ACK sent from the communication destination device TM. Then, when the number of counts per unit time exceeds the threshold value, the response SYN-ACK is determined to be a "response suspected of attack", and the "suspected attack monitoring state" is set.
  • The network connection device LT delays the received request SYN by a predetermined amount TD, within a range that does not result in a communication error, and then transfers it to the communication destination device TM. Then, if the number of responses SYN-ACK per unit time transmitted from the communication destination device TM in response to the request SYN decreases below a predetermined value, the response SYN-ACK is determined to be a normal response, the "suspected attack monitoring state" is canceled, and the normal connection sequence continues. On the other hand, if the number of responses SYN-ACK per unit time is still equal to or greater than the predetermined value, the response SYN-ACK is determined to be an attack response and the server device SV is notified to that effect.
  • In this way, the network connection device LT can detect response retransmissions that constitute the above DoS attack while distinguishing them from retransmissions of normal responses.
  • FIG. 4 is a diagram showing an example of a data communication system in which the functions of a denial of service attack detection device according to an embodiment of the present invention are provided in an inter-network connection device.
  • A data communication system according to one embodiment is intended to enable transmission of information data, for example, between an internal network LNW operated by a company or organization and a communication destination device TM used by an external general user via a wide area network INW.
  • the wide area network INW comprises, for example, the Internet and an access network for accessing the Internet.
  • the in-house network LNW is composed of, for example, a LAN (Local Area Network) and a wireless LAN.
  • the in-house network LNW is provided with a server device SV and an inter-network connection device LT.
  • The server device SV functions as, for example, a Web server device, and provides, for example, a service for providing various information, a service for collecting, accumulating, and managing various user data, and a service that performs predetermined analysis and editing processing on data collected from users and provides the result to the user.
  • the network connection device LT is composed of, for example, a gateway or a router.
  • the inter-network connection device LT has, as basic functions, a data transmission function between the server device SV and a plurality of communication terminals (not shown) provided in the in-house network LNW; and a data transmission function to and from the wide area network INW.
  • the in-house network LNW may be, for example, a home network operated by an individual user other than one operated by a company or organization.
  • A user terminal such as a personal computer is used instead of the server device SV.
  • the communication destination device TM is, for example, a personal computer or a server device computer, and is originally used to receive various services provided by the server device SV of the internal network LNW.
  • a mobile information terminal such as a smart phone or a tablet terminal may be used as the communication destination device TM.
  • Inter-network connection device LT: FIGS. 5 and 6 are block diagrams showing the hardware configuration and software configuration of the network connection device LT, respectively.
  • the network connection device LT includes a control section 1 using a hardware processor such as a central processing unit (CPU).
  • A storage unit having a program storage section 2 and a data storage section 3, and a communication I/F 4, are connected to the control section 1 via a bus 5.
  • The communication I/F 4 transmits and receives data to and from an external communication destination device TM connected to the wide area network INW, and to and from the server device SV and the communication terminals in the in-house network LNW, according to the communication protocols defined by the wide area network INW and the in-house network LNW.
  • The communication I/F 4 is provided with a buffer that temporarily stores received packets for the transmission and reception of this data.
  • The program storage unit 2 includes, as storage media, for example, a non-volatile memory such as an HDD (Hard Disk Drive) or SSD (Solid State Drive) that can be written and read at any time, and a non-volatile memory such as a ROM (Read Only Memory).
  • middleware such as an OS (Operating System)
  • the data storage unit 3 is, for example, a combination of a non-volatile memory such as an HDD or an SSD that can be written and read at any time and a volatile memory such as a RAM (Random Access Memory) as a storage medium.
  • a counter information storage unit 31, a delay information storage unit 32, and a suspected attack monitoring state storage unit 33 are provided as main data storage areas necessary for carrying out the embodiment.
  • the counter information storage unit 31 is used to store a count value representing the number of responses transmitted from the communication destination device TM in the connection sequence. Specifically, this count value is a value obtained by counting the number of responses received per unit time for each of the same 5-tuples.
  • the delay information storage unit 32 is used to store a "request delay state" indicating whether or not a request transmitted from the server device SV in the connection sequence is to be delayed.
  • the suspected attack monitoring state storage unit 33 is used to store the "suspected attack monitoring state" indicating that a suspected attack is being monitored.
  • The control unit 1 includes a packet monitoring processing unit 11, a response number counting processing unit 12, a request delay processing unit 13, a determination processing unit 14, and an attack detection notification processing unit 15 as processing functions necessary for executing various processes according to one embodiment of the present invention.
  • the processes by these processing units 11 to 15 are realized by causing the CPU to execute the programs stored in the program storage unit 2.
  • The packet monitoring processing unit 11 monitors the contents of the received packet and determines whether the received packet is a request or a response. If the received packet is determined to be a response, the validity/invalidity of the response is determined based on the 5-tuple of the received packet. Then, when the response is determined to be valid, the 5-tuple of the response is passed to the response number count processing unit 12.
  • the 5-tuple of a packet is header information including the source IP/port number, destination IP/port number, and protocol number of the packet.
  • the packet monitor processing unit 11 notifies the request delay processing unit 13 of a request delay processing request. Then, when a request delay processing completion notification is returned from the request delay processing unit 13 in response to this notification, a process of instructing the communication I/F 4 to transfer the received packet is performed.
  • When receiving the 5-tuple of the received response from the packet monitoring processing unit 11, the response number count processing unit 12 increments the count value per unit time stored in the counter information storage unit 31 for received responses having the same 5-tuple.
  • the request delay processing unit 13 stores information representing the "request delay state" in the delay information storage unit 32 when receiving a request delay instruction from the determination processing unit 14, which will be described later.
  • When a request delay processing request is received from the packet monitoring processing unit 11 in this state, waiting processing is performed according to the delay time information stored in the delay information storage unit 32, and when the waiting processing is completed, a request delay processing completion notification is returned to the packet monitoring processing unit 11.
  • The determination processing unit 14 is periodically activated at a preset cycle, and has the following processing functions. (1) First, based on the state information stored in the suspected attack monitoring state storage unit 33, it determines whether or not a suspected attack is being monitored. If a suspected attack is not being monitored, the count value per unit time of received responses having the same 5-tuple stored in the counter information storage unit 31 is compared with the first threshold to determine whether the received response is a response suspected of an attack. When it is determined that the response is suspected of an attack, information indicating the suspected attack monitoring state is stored in the suspected attack monitoring state storage unit 33, and a request delay instruction is notified to the request delay processing unit 13.
  • The count value per unit time of received responses having the same 5-tuple stored in the counter information storage unit 31 is compared with a second threshold to determine whether the received response is a normal response or an attack response. Then, if it is an attack response, information representing that detection result is transmitted to the attack detection notification processing unit 15.
  • If the received response is a normal response, the information indicating the suspected attack monitoring state set in the suspected attack monitoring state storage unit 33 is changed to information indicating the normal monitoring state, and a request delay instruction cancellation notification is sent to the request delay processing unit 13.
  • When the attack detection notification processing unit 15 receives information indicating that an attack response has been detected from the determination processing unit 14, it performs processing for transmitting an attack detection notification to the server device SV.
  • FIGS. 7 to 10 are flow charts showing processing procedures and processing contents of processing executed by the control unit 1 of the network connection device LT.
  • FIG. 11 is a sequence diagram showing the overall processing operation of the network connection device LT.
  • the control unit 1 monitors reception of packets in step S10 shown in FIG. Then, when the received packet is passed from the communication I/F 4, it is determined whether the received packet is a request or a response based on the content of the received packet in step S11. As a result of this determination, if the received packet is a request transmitted from the server device SV, the request delay processing request is notified to the request delay processing unit 13 in step S12.
  • The request delay processing unit 13 determines whether or not the information representing the "request delay state" is stored in the delay information storage unit 32 in steps S13 and S14. Then, if the information indicating the "request delay state" is not saved, the processing completion notification is sent to the packet monitor processing unit 11 without executing the delay processing.
  • When the packet monitoring processing unit 11 receives the processing completion notification, it gives a received packet transfer instruction to the communication I/F 4 in step S17. As a result, the received packet held in the buffer of the communication I/F 4 is transmitted from the communication I/F 4 to the wide area network INW.
  • Step S11: the packet monitoring processing unit 11 determines whether the response is valid or invalid based on the 5-tuple of the received response. As a result of this determination, if the response is invalid, the response is discarded without being transferred.
  • the packet monitor processing unit 11 passes the 5-tuple of the received response to the response count processing unit 12 as received response information in step S21.
  • The response count processing unit 12 reads the count value per unit time for the same 5-tuple from the counter information storage unit 31 in step S22. Then, the read count value is incremented in step S23. As a result, the number of received responses with the same 5-tuple per unit time is counted.
  • the packet monitoring processing unit 11 gives a received packet transfer instruction to the communication I/F 4 in step S24.
  • the reception response packet held in the buffer of the communication I/F 4 is transmitted from the communication I/F 4 to the wide area network INW.
  • the control unit 1 of the inter-network connection device LT executes the following determining process for the received response in parallel with the process of monitoring the received packet.
  • step S30 Determining whether to execute suspected attack detection determination or attack detection determination
  • The control unit 1 of the inter-network connection device LT, under the control of the determination processing unit 14, monitors in step S30, at a preset cycle, whether or not the determination timing has come. In this state, when the determination timing comes, the determination processing unit 14 reads the count value for each 5-tuple of the received response from the counter information storage unit 31 in step S31. Further, in step S32, the determination processing unit 14 determines whether the information indicating the "suspected attack monitoring state" or the "normal monitoring state" is stored in the suspected attack monitoring state storage unit 33.
  • The process proceeds to step S33, and the "suspected attack detection determination process" for determining whether or not the received response is a response suspected of an attack is executed.
  • In step S34, the "attack detection determination process" for determining whether the received response is an attack response or a normal response is executed.
  • The determination processing unit 14, as shown in FIG., determines whether the first threshold is exceeded.
  • the first threshold is set to, for example, the maximum number of normal responses received per unit time.
  • the determination processing unit 14 determines that the received response is not a response suspecting an attack, and terminates the determination processing as it is.
  • the determination processing unit 14 determines that the received response corresponds to a response suspected of an attack, and first notifies the request delay processing unit 13 of a request delay instruction in step S333.
  • Upon receiving the request delay instruction, the request delay processing unit 13 causes the delay information storage unit 32 to store information representing the "request delay state" in step S334.
  • The determination processing unit 14 changes the "normal monitoring state" stored in the suspected attack monitoring state storage unit 33 to the "suspected attack monitoring state" in step S335. Then, in step S336, the determination processing unit 14 updates the count value of the number of received corresponding responses stored in the counter information storage unit 31 from the previous value to the current value.
  • step S12 notifies the request delay processing unit 13 of the request delay processing request. Then, the request delay processing unit 13 determines whether or not information representing the "request delay state" is stored in the delay information storage unit 32 in steps S13 and S14.
  • The request delay processing unit 13 proceeds to step S15 and performs a waiting process for delaying transfer of the request by the delay time according to the delay time information stored in the delay information storage unit 32.
  • the delay time is set within a range in which the communication destination device TM does not judge the request as a communication error.
  • the request delay processing unit 13 sends a request delay processing completion notice to the packet monitor processing unit 11 at that time.
  • Upon receiving the request delay processing completion notification, the packet monitoring processing unit 11 issues a received packet transfer instruction to the communication I/F 4 in step S17. As a result, the received packet held in the buffer of the communication I/F 4 is transmitted from the communication I/F 4 to the wide area network INW.
  • this request is delayed for a certain period of time by the network connection device LT and then transferred to the communication destination device TM.
  • the second threshold value is set to the maximum number of retransmissions of normal responses per unit time by the communication destination device TM according to the retransmission timer after the delay processing of the request. Note that the second threshold may be set to the same value as the first threshold.
  • the determination processing unit 14 determines that the received response is a response transmitted from the normal communication destination device TM(T). Then, the determination processing unit 14 shifts to step S344, and changes the information indicating the state of suspected attack monitoring set in the attack suspected monitoring state storage unit 33 to information indicating the normal monitoring state. Further, in step S345, the request delay processing unit 13 is sent a cancellation notification of the request delay instruction previously notified in the attack suspect detection determination processing.
  • The determination processing unit 14 determines that the received response is an attack response sent from the malicious communication destination device TM(N). Then, in step S343, the attack detection notification processing unit 15 is notified of information indicating that the attack response has been detected.
  • the attack detection notification processing unit 15 transmits an attack detection notification to, for example, the server device SV.
  • When the server device SV receives the attack detection notification, it performs corresponding processing such as refusing to receive the attack response.
  • The network connection device LT counts the number of responses SYN-ACK transmitted from the communication destination device TM, and when the count per unit time exceeds the first threshold value, the response SYN-ACK is judged to be a "response suspected of an attack" and the "suspected attack monitoring state" is set.
  • the request SYN is delayed by a predetermined amount TD within a range that does not cause a communication error, and then transferred to the communication destination device TM.
  • The above response SYN-ACK is judged to be a normal response, the above "suspected attack monitoring state" is canceled, and the normal connection sequence continues.
  • the response SYN-ACK is determined as an attack response, and the server device SV is notified to that effect.
  • The network connection device LT can detect the retransmission of responses constituting the above-mentioned DoS attack while distinguishing it from the retransmission of normal responses.
  • The number of responses received is counted based on the 5-tuple of the received packet, and the presence or absence of an attack is determined based on the count value, so it is possible to determine whether or not there is an attack without performing detailed monitoring and analysis of the contents of the packet payload. As a result, the processing load and processing delay of the network connection device LT can be suppressed, thereby reducing the price of the network connection device LT. It is possible to reduce the processing load when performing analysis processing for detecting attacks.
  • The control unit 1 of the network connection device LT may be provided with a verification processing unit for verifying the determination result of the presence or absence of an attack, and the threshold value may be variably controlled based on the verification result by this verification processing unit.
  • the function of the denial-of-service attack detection device according to the present invention is provided in the inter-network connection device LT in the in-house network LNW such as a gateway or router.
  • The present invention is not limited to this, and the function of the denial-of-service attack detection device may be provided in a communication device in the wide area network INW, or in a relay device or the like arranged on the communication path between the wide area network INW and the in-house network LNW.
  • The type and functional configuration of the denial-of-service attack detection device, the processing procedure and processing contents of the denial-of-service attack detection processing, etc. can be variously modified without departing from the gist of the present invention.
  • The present invention is not limited to the above-described embodiments as they are, and can be embodied by modifying the constituent elements without departing from the gist of the invention at the implementation stage.
  • Various inventions can be formed by appropriate combinations of the plurality of constituent elements disclosed in the above embodiments. For example, some components may be omitted from all components shown in the embodiments.
  • Constituent elements of different embodiments may be combined as appropriate.

Abstract

In one aspect of the present invention, the number of multiple responses transmitted by a second communication device at an arbitrary cycle, the responses being those to a first request transmitted by a first communication device, is counted, and when the count value per unit time is determined to exceed a first threshold, the multiple responses are determined to be a sequence suspected of being an attack and an attack-suspicion monitoring state is set. In this state, when a second request is transmitted by the first communication device, the second request is forwarded to the second communication device after being delayed for a prescribed period. Furthermore, the number of multiple responses to the second request transmitted by the second communication device is counted, and when the count value per unit time is determined to exceed a second threshold, the multiple responses to the second request are determined to be an attack sequence and information indicating this is output.
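
The two-stage check described in the abstract, keyed on the packet 5-tuple as the description states, as an added example (not code from the patent or its applicant). The threshold, window and delay values, the state names, and the rule that an unconfirmed suspicion is cleared on the next request are assumptions; timestamps are passed in so constructed traffic replays deterministically.

```python
from collections import defaultdict, deque
# Assumed values: the page gives no concrete thresholds, window or delay.
WINDOW = 1.0                    # "unit time", seconds
THRESHOLD_1 = THRESHOLD_2 = 5   # first and second thresholds (responses per window)
DELAY = 0.5                     # prescribed delay applied to the second request
NORMAL, SUSPECT, VERIFY, ATTACK = "normal", "suspect", "verify", "attack"

class Flow:
    def __init__(self):
        self.state = NORMAL
        self.since = 0.0        # time the current request was forwarded
        self.times = deque()    # arrival times of responses to that request

class ResponseCountDetector:
    def __init__(self):
        self.flows = defaultdict(Flow)

    @staticmethod
    def key(src, sport, dst, dport, proto):  # direction-independent 5-tuple key
        return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

    def on_request(self, five_tuple, now):
        """Register a request; return the time at which it is forwarded."""
        flow = self.flows[self.key(*five_tuple)]
        forward_at = now
        if flow.state == SUSPECT:           # second request: delay it, then verify
            flow.state, forward_at = VERIFY, now + DELAY
        elif flow.state == VERIFY:          # assumption: unconfirmed suspicion is cleared
            flow.state = NORMAL
        flow.times.clear()                  # responses are counted per request
        flow.since = forward_at
        return forward_at

    def on_response(self, five_tuple, now):
        """Count one response from header fields only; return the flow state."""
        flow = self.flows[self.key(*five_tuple)]
        if now < flow.since:                # cannot answer a request not yet forwarded
            return flow.state
        flow.times.append(now)
        while now - flow.times[0] > WINDOW: # keep only the last WINDOW seconds
            flow.times.popleft()
        if flow.state == NORMAL and len(flow.times) > THRESHOLD_1:
            flow.state = SUSPECT            # attack-suspicion monitoring state
        elif flow.state == VERIFY and len(flow.times) > THRESHOLD_2:
            flow.state = ATTACK             # confirmed: the caller outputs the alert
        return flow.state

# Constructed sample flow (documentation address ranges).
REQ = ("192.0.2.10", 40000, "198.51.100.7", 443, "tcp")   # first -> second device
RSP = ("198.51.100.7", 443, "192.0.2.10", 40000, "tcp")   # second -> first device
```

No payload bytes are inspected at any point; the only per-flow state is a short queue of timestamps and one state value.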
PCT/JP2021/020232 2021-05-27 2021-05-27 Denial-of-service attack detection device, method and program WO2022249399A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2023523865A JPWO2022249399A1 (fr) 2021-05-27 2021-05-27
PCT/JP2021/020232 WO2022249399A1 (fr) 2021-05-27 2021-05-27 Denial-of-service attack detection device, method and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/020232 WO2022249399A1 (fr) 2021-05-27 2021-05-27 Denial-of-service attack detection device, method and program

Publications (1)

Publication Number Publication Date
WO2022249399A1 true WO2022249399A1 (fr) 2022-12-01

Family

ID=84229628

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/020232 WO2022249399A1 (fr) 2021-05-27 2021-05-27 Denial-of-service attack detection device, method and program

Country Status (2)

Country Link
JP (1) JPWO2022249399A1 (fr)
WO (1) WO2022249399A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006331015A (ja) * 2005-05-25 2006-12-07 Mitsubishi Electric Corp Server device protection system
EP1975829A1 (fr) * 2007-03-28 2008-10-01 British Telecommunications public limited company Identifying abnormal network traffic conditions
JP2013223005A (ja) * 2012-04-13 2013-10-28 Nippon Telegr & Teleph Corp <Ntt> DoS attack detection device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117118752A (zh) * 2023-10-23 2023-11-24 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attacks
CN117118752B (zh) * 2023-10-23 2024-01-09 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attacks

Also Published As

Publication number Publication date
JPWO2022249399A1 (fr) 2022-12-01

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 21943046

Country of ref document: EP

Kind code of ref document: A1

WWE WIPO information: entry into national phase

Ref document number: 2023523865

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE